Re: NSA software in Debian

2014-01-24 Thread Andreas Kuckartz
Marko Randjelovic:
> On Wed, 22 Jan 2014 12:24:27 +1100
> Russell Coker  wrote:
>
>> The possibility of LSM hooks being used to hide a kernel rootkit is
>> widely cited.  But most sysadmins aren't going to find a kernel
>> rootkit anyway so using a non-LSM security system for that reason is
>> trading off the real benefit of being able to save time and effort
>> in maintaining systems for the probably impossible theoretical
>> benefit of not using LSM.
>
> If I cannot prove there is a rootkit, then I cannot be sure there is a
> rootkit, but neither can I be sure there is *not* a rootkit. And merely
> because you cannot know you are secure, you *feel* insecure.
> Furthermore, your computer may be abused to attack other computers,
> even to make a botnet. And though you cannot know what the attacker is
> doing against your interests, neither can you know the opposite and,
> again, this generates a feeling of insecurity.

I do not see which implications that has for LSM.

> And if you neglect this, you are unconsciously submitting to the
> aggressor.

I am not aware of anybody here doing that.

Cheers,
Andreas


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52e27948.4010...@ping.de



Re: NSA software in Debian

2014-01-22 Thread Andreas Kuckartz
Marko Randjelovic:
> Octavio Alvarez  wrote:
>> I wouldn't worry about SELinux specifically.
> 
> As I already pointed out, there is something:
> http://lists.debian.org/20140120005556.612de...@eunet.rs

And Russell Coker carefully explained in his reply to your mail why that
approach does not help to improve security.

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/52e01e9c.3080...@ping.de



Re: NSA software in Debian

2014-01-20 Thread Andreas Kuckartz
Kevin Olbrich:
> Is SELinux disabled on new debian installs?

The SELinux packages are optional. The default kernel is configured so
that SELinux (or another LSM) can be enabled after the packages have
been installed.

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/52ddac6d.4020...@ping.de
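The point in the reply above (the SELinux packages are optional, and the stock Debian kernel can enable SELinux or another LSM once they are installed) can be checked on a running system. The script below is an added example, not code from this thread or from Debian; it assumes securityfs is mounted at /sys/kernel/security so that /sys/kernel/security/lsm lists the active LSMs (an interface newer than this 2014 thread), and that /sys/fs/selinux/enforce exists when SELinux is active. Both paths are parameters so the functions can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the list thread): report which LSMs the running
# kernel has active and whether SELinux is enforcing.
# Assumption: securityfs at /sys/kernel/security exposes an "lsm" file with a
# comma-separated list of active LSMs; /sys/fs/selinux/enforce holds 0 or 1.

# lsm_active NAME [LSMFILE]
# Returns 0 if NAME appears in the comma-separated LSM list, 1 if it does not,
# 2 if the list is unreadable. The file path is a parameter so the function
# can be run against a constructed sample file.
lsm_active() {
    name=$1
    lsmfile=${2:-/sys/kernel/security/lsm}
    [ -r "$lsmfile" ] || return 2
    # Wrap both the list and the name in commas so "selinux" does not match
    # a hypothetical "myselinux".
    case ",$(cat "$lsmfile")," in
        *",$name,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_mode [ENFORCEFILE]
# Prints "enforcing", "permissive" or "disabled" (file absent means the
# SELinux filesystem is not mounted, i.e. SELinux is not active).
selinux_mode() {
    enforcefile=${1:-/sys/fs/selinux/enforce}
    if [ ! -r "$enforcefile" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$enforcefile")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Stand-alone run against the live system.
if lsm_active selinux; then
    echo "SELinux LSM active, mode: $(selinux_mode)"
else
    echo "SELinux LSM not active; LSMs: $(cat /sys/kernel/security/lsm 2>/dev/null || echo unavailable)"
fi
```

On a Debian system where the selinux-basics packages were installed but the system has not yet been relabelled and rebooted, the script reports SELinux as not active even though the kernel supports it, which is exactly the "optional, enable after install" state the reply describes.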



Re: NSA software in Debian

2014-01-19 Thread Andreas Kuckartz
Marko Randjelovic:
> SELinux security benefits are vague because it makes it possible to
> use its hooks to add a backdoor which would be nearly impossible
> to detect:
> 
> https://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm 
> https://grsecurity.net/lsm.php

SELinux, AppArmor, Smack and Tomoyo are using the Linux Security
Module (LSM) framework.

I am aware of the claims made by grsecurity regarding LSM, but I do
not agree with several of them.

> Consider alternatives like PaX/grsecurity and RSBAC.

Both seem to be compatible with SELinux.

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/52dcd31c.7010...@ping.de



Re: NSA software in Debian

2014-01-19 Thread Andreas Kuckartz
Bjoern Meier:
> http://en.wikipedia.org/wiki/Security-Enhanced_Linux

I proposed this Debian Release Goal:
https://wiki.debian.org/ReleaseGoals/SELinux

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/52dbb409.5080...@ping.de



Re: End-user laptop firewall available?

2013-12-08 Thread Andreas Kuckartz
Richard Owlett:
> I chose phrasing of subject line to emphasize some peculiarities of my
> needs.
> 
> End-user emphasizes:
>   - I am *NOT* an expert
>   - my system is never intended to be a "server"
> 
> Laptop indicates:
>   - small standalone system intended to operate primarily *WITHOUT* any
> networking
> 
> When connected to internet it will be:
>   - primarily for browsing, email, Usenet
>   - occasionally used for downloading small files using HTTP *NOT*
> (never?) FTP
> 
> The "fly in ointment" will be:
>The typical internet connection will be with a USB dial-up modem.
>When I desire to browse complex website or download a large set of
> files,
>  I will carry it to a local library and use a WiFi connection.
> 
> A couple months of reading has left me confused as to a suitable firewall.
> 
> Any help/direction appreciated.

This is a good question and I think that such use cases should best be
supported by the Debian Installer.

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/52a468ee.5070...@ping.de



Re: SSL for debian.org/security?

2013-11-11 Thread Andreas Kuckartz
Hans-Christoph Steiner:
> The crypto smartcard (aka Hardware Security Module) is some work to set up,
> but not really all that much.  And they are easy to use once set up.  And they
> provide a huge boost in the security of the certificate.

Such hardware also costs a significant amount of money. Are there better
ways to spend money to improve the security?

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/5281c93a.8040...@ping.de



Re: Does JDK7 security hole affect OpenJDK6?

2013-01-17 Thread Andreas Kuckartz
I found CVE-2013-0422 on the TODO list:
https://security-tracker.debian.org/tracker/status/todo

Cheers,
Andreas
---

Andreas Kuckartz:
> David Gerard:
>> I would assume the recent JDK7 hole would also affect OpenJDK7, given
>> they're pretty much the same codebase.
>>
>> But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone
>> checked if OpenJDK6 is vulnerable?
> 
> CERT states this:
> 
> "Systems Affected
> 
> Any system using Oracle Java 7 (1.7, 1.7.0) including
> 
> Java Platform Standard Edition 7 (Java SE 7)
> Java SE Development Kit (JDK 7)
> Java SE Runtime Environment (JRE 7)
> OpenJDK 7 and 7u
> IcedTea 2.x (IcedTea7 2.x)
> 
> All versions of Java 7 through update 10 are affected.  Web browsers
> using the Java 7 plug-in are at high risk."
> 
> "Revision History
> 
> January 10, 2013: Initial release
> January 14, 2013: Added fix information per Java 7u11 release
> January 15, 2013: Added OpenJDK and IcedTea to Systems Affected"
> 
> http://www.us-cert.gov/cas/techalerts/TA13-010A.html
> 
> Debian states that OpenJDK6 and OpenJDK7 are not vulnerable regarding
> CVE-2013-0422:
> https://security-tracker.debian.org/tracker/CVE-2013-0422
> https://security-tracker.debian.org/tracker/source-package/openjdk-7
> 
> *But*
> 
> "There's currently a technical problem with the Tracker not updating
> from the database."
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690774#15
> 
> Maybe that security tracker issue has not yet been resolved?
> 
> Cheers,
> Andreas
> 
> 


-- 
Archive: http://lists.debian.org/50f7d0e4.1050...@ping.de



Re: Does JDK7 security hole affect OpenJDK6?

2013-01-17 Thread Andreas Kuckartz
David Gerard:
> I would assume the recent JDK7 hole would also affect OpenJDK7, given
> they're pretty much the same codebase.
> 
> But OpenJDK6 is based on OpenJDK7, cut down to pass JCK6. Has anyone
> checked if OpenJDK6 is vulnerable?

CERT states this:

"Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including

Java Platform Standard Edition 7 (Java SE 7)
Java SE Development Kit (JDK 7)
Java SE Runtime Environment (JRE 7)
OpenJDK 7 and 7u
IcedTea 2.x (IcedTea7 2.x)

All versions of Java 7 through update 10 are affected.  Web browsers
using the Java 7 plug-in are at high risk."

"Revision History

January 10, 2013: Initial release
January 14, 2013: Added fix information per Java 7u11 release
January 15, 2013: Added OpenJDK and IcedTea to Systems Affected"

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

Debian states that OpenJDK6 and OpenJDK7 are not vulnerable regarding
CVE-2013-0422:
https://security-tracker.debian.org/tracker/CVE-2013-0422
https://security-tracker.debian.org/tracker/source-package/openjdk-7

*But*

"There's currently a technical problem with the Tracker not updating
from the database."
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690774#15

Maybe that security tracker issue has not yet been resolved?

Cheers,
Andreas


-- 
Archive: http://lists.debian.org/50f7cc8e.6010...@ping.de